\subsection{Motivation}
\label{sec:motivation}

Name resolution is an important mechanism for the operation of computer systems.  However, its use has caused several vulnerabilities which are hard to remove.  Two common attacks are improper binding attack, where an adversary gains indirect access to a resource by confusing a victim process, and improper resource attack, where an adversary gets direct access through the victim.

%Not sure where to put this. Kind of an undeclared reference to some defenses.  Name resolution attacks engage two components.  First component manages the namespace and the second one uses the namespace.  Considering these two components four different types of defenses are identified to prevent name resolution attacks in [15].  These are system resource restriction, capabilities, namespace management, and program resource restriction.

The basic problem definition addressed by this project is the impossibility of a mechanism for avoiding race conditions from user space that allow name resolution attacks.  Secondarily, we augment the security policies currently used by extending the trust model in use to account for authorized root processes that nevertheless maliciously affect the state of the system.

In the current manifestation of SELinux, the adversary model omits this case by basing labels on location, so that if a process can gain access to the $/etc/$ directory any modification by that process to this directory will be taken as trusted by giving it a trusted label purely based on being in the $/etc/$ directory.  But this is not effective as a trust model because anybody who can access to $/etc/$ can modify these files and those can be adversaries who have otherwise gained authorization into the system.  Therefore a method is needed to extend access policy to cover the confused deputy problem.

%A common threat model is where a malicious process with write access modifies high integrity files as in TOCTTOU attacks.  

%Policy:  Kernel security can enforce MAC, but labels are ambiguous.  SELinux label is by directory, so once a privileged process is infected???
